ISA: 80% of Cyberattacks Preventable

This was written by Brynn Koeppen on Tuesday, June 23, 2009, 16:56.

The President of the Internet Security Alliance  (ISA) Larry Clinton brought insight to The New New Internet for improving cyber security. Mr. Clinton supports private sector market incentives and believes most cyber security problems can be solved with current technology. 

TheNewNewInternet:  What are your thoughts on having a Cyber Czar in the near future?

Larry Clinton:  The Internet Security Alliance is very supportive of the approach that the Obama Administration has announced.  We found their approach to be very sophisticated. I was at the White House and I saw the President go off script to emphasize that he will not mandate standards for the cyber security activities of the private sector; instead he will embrace the model put forth here at the Internet Security Alliance called the Social Contract. The model suggests that government and industry develop an entirely different partnership when engaging in collective defense. The traditional model of defense where the government takes over doesn’t work because the vast majority of the Internet is in the private sector’s hands. The Obama Administration recognizes the need to provide and improve market incentives for the private sector so that they will go beyond their own corporate needs and begin to embrace cyber security not only for their own purposes but also for the national interest.

TheNewNewInternet:  Do you think that contractors need monetary incentives to deal with the cyber security perspective?

Larry Clinton: There is a minority portion of the economy already makes the investments in information security/cyber security, the research suggests about 30 or 33%. This is largely because private organizations that do not currently see a sufficient return on investment therefore they don’t make the investments necessary to create a sustainable system of security.  For that element of the economy, which obviously includes a substantial number of government contractors; some additional incentives are going to be required. Monetary incentives are only one incentive that even the Internet Security Alliance advocates. The government routinely provides a series of incentives; liability incentives, tax breaks, awards programs, insurance benefits, procurement benefits, ways to get better scores when you are competing for government contracts, and that kind of thing. We were very happy to see that the Obama report stressed the need to address market incentives and use regulation only as a last resort but the incentive is not necessarily a tax break.

the single biggest vulnerability we have with regard to cyber security is human exposure.

The New New Internet: You mentioned the defense industrial base, do you think that program is working and do you think that should be expanded to include more companies?

Larry Clinton: The program is evolving and clearly working at a targeted level. Whether or not that should be expanded to the rest of the economy is much less clear. A lot of cyber security problems almost have nothing to do with the technology. Obviously there is technological component, but the single biggest threat or the single biggest vulnerability we have with regard to cyber security is human exposure.  It’s insiders, whether corrupted insiders or sloppy insiders or badly trained insiders who are creating vulnerabilities so in that sense it doesn’t have anything to do with technology and is largely technological. It is an open question as to whether or not the DIB model can be applied universally throughout the economy.

TheNewNewInternet:  Can you talk a little about the balance of the Cyber Coordinator in terms of national security and civil liberties?

Larry Clinton:  The President made it very, very clear that he was going to put into place several different elements that would be geared toward safeguarding civil liberties. The President recognizes that he will need a coordinator who can have a foot in the National Security Council and a foot with the National Economic Council because if we simply make decisions with regard to cyber security based on security interests we are going to substantially undermine our economic interests.  That will ruin our nation. The design of the Cyber Coordinator position as having allegiance to both the National Economic Council and the National Security Council provides greater assurance that the economic issues and the civil liberty issues will be addressed coequally with those of our National Security apparatus and that is how it should be.  That will be a bit more difficult to do but that is the right way to go and that is one of the things that we are very excited about in the Obama report.

TheNewNewInternet: What else can the President be doing in the interim?  What would you like to see six months from now or a year from now?

Larry Clinton:  We think they have established the correct architecture, now they have to build the building that matches that architecture. The Cyber Coordinator needs to develop a new national strategy that fully articulates what the incentives will be for the private sector to engage in this system of collective defense.  They also need to substantially increase the speed with which the government and industry adopt the practices, procedures and technologies. We know how to deal with 90% of the attacks simply by implementing the current best practices, standards and technologies.  We don’t need new technologies to be created.  We don’t need new standards to be created.  There is research about how to fix those problems.  The problem is people aren’t doing it.  That’s why an incentive program would solve 80 – 90% of the problem.  The other 10% of the problem is big, scary and enormously hard to deal with but in the short term getting an incentive program in place to address 80% of the problem is the most important.